Securely Using Wireless Internet Connections

In recent weeks, we have seen some alarming news stories related to the dangers of having insufficient security in place on wireless networks. There was the man from Buffalo, NY who had Immigration and Customs Enforcement officers barge into his house in the early morning because someone used his unsecured wireless network to download child pornography.  There was also the local case of a man who used equipment in his car to find unsecured wireless networks in order to steal credit card and personal information. In light of these recent events, we are sharing some steps that your nonprofit can take to avoid being victims of these kinds of crimes.

Move your wireless router off of the Wired Equipment Privacy (WEP) protocol.

WEP has been a known security problem for years, and we have long recommended that clients switch to the more secure WPA2 protocol. (Here Datalogic provides a great write-up on the different kinds of wireless security protocols and the pros and cons of each.) If your wireless equipment was manufactured after 2006, it should have the ability to use the WPA2 protection, and your organization should replace your wireless equipment if it will not allow you to use WPA2. Older computers and those running outdated operating systems may not be equipt to use the WPA2 protocol, and these sort of security concerns are among the reasons why we recommend keeping operating systems updated and replacing computers that are more than five years old. Make sure that computers unable to use WPA2 are not in a position to need a wireless connection, so that you are not forced to compromise your entire network for that device.

Always require a password to access your wireless network.

Even if users on wireless networks can’t access your server files, you still want to have a secure password on your network. Definitely don’t use the password that came with your wireless router, as those are the first that hackers will try.  Some tips for creating good passwords include:

• Use a password that is at least 8 characters long.
• Don't use dictionary words.
• Use mixed-case letters along with numbers and punctuation.

In addition, you should change your passwords periodically, especially after staff departures, and make sure to keep any written copies of your password stored securely – no post-its on monitors or under keyboards.

Give your wireless network a good name.

It may not be the best idea to use your organization's name as the name of their wireless network as it could identify your network as a more valuable target than other networks in the area. Organizations with special security concerns, for instance a domestic violence shelter, also shouldn’t use their name as it will give away their location to anyone passing by with a smartphone or computer. It’s best to choose less obvious words or phrases to make the hackers job much more difficult.

Use caution when accessing organization data via public wifi.

Using publicly available wireless networks – like those at your local coffee shop or the airport – will never be as secure as using a private and secured network, so there are steps to follow to ensure your information stays secure:

• Enable your computer’s firewall when using your computer in public. In addition, firewall that comes with Windows XP, Vista and 7 can be configured with higher security settings when using public wireless.
• Use caution when entering password and financial information over a public network. Make sure that when you do this the site you are using is secured – you will see https:// at the beginning of web addresses and many browsers will display a locked padlock in the address bar.
• Avoid using FTP to upload documents or files on public networks, as traffic is typically not encrypted. Instead, use VPN connections as those have much better security.
• If you keep organization data saved on your computer, you should consider encrypting those files. The newer versions of Windows make it pretty easy to encrypt and decrypt files, but be sure to back up your encryption certificate to ensure that you will be able use these files.

Staff members’ home wireless networks should also be secure.

Any staff that accesses organization data from home should ensure that their home wireless network is also secure. Many businesses and nonprofits will include the security of home network in their IT policies and employee rules, as data can be compromised due to insecure home access. Share these tips with your staff or otherwise give them guidance on how to secure their wireless network to protect your organization's data along with their personal information.

Additional Protective Steps

Data security firm Sophos outlines some other possible security steps in their article on securing wireless networks including using MAC address filtering to prevent unknown devices from accessing your network. We have historically not set up this feature for the majority of our clients due to the increased support necessary to maintain those settings, and have only used them in cases where the client required higher security needs or if they were frequent targets of attack.

Do you know which wireless protocol (WEP vs WPA2) your nonprofit has in place? Do you have policies regarding home wireless and network security? Join the conversation in the comments, and nonprofits can also contact us if you would like our expert network consultants to assist you with your wireless security setup or policies.

- Elaina Buzzell